From 89f562968f0c8c23bcb16bbccfc839525ffb7e1e Mon Sep 17 00:00:00 2001 From: BlackDex Date: Mon, 3 Feb 2025 16:27:33 +0100 Subject: [PATCH] Fix icon redirect not working on desktop We also need to exclude the header in case we do an external_icon call. Fixes #5535 Signed-off-by: BlackDex --- src/util.rs | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/src/util.rs b/src/util.rs index ecd079cf..f967925e 100644 --- a/src/util.rs +++ b/src/util.rs @@ -56,13 +56,17 @@ impl Fairing for AppHeaders { res.set_raw_header("X-Content-Type-Options", "nosniff"); res.set_raw_header("X-Robots-Tag", "noindex, nofollow"); - if !res.headers().get_one("Content-Type").is_some_and(|v| v.starts_with("image/")) { - res.set_raw_header("Cross-Origin-Resource-Policy", "same-origin"); - } - // Obsolete in modern browsers, unsafe (XS-Leak), and largely replaced by CSP res.set_raw_header("X-XSS-Protection", "0"); + // The `Cross-Origin-Resource-Policy` header should not be set on images or on the `icon_external` route. + // Else some clients, like the Bitwardem Desktop will fail to download the icons + if !(res.headers().get_one("Content-Type").is_some_and(|v| v.starts_with("image/")) + || req.route().is_some_and(|v| v.name.as_deref() == Some("icon_external"))) + { + res.set_raw_header("Cross-Origin-Resource-Policy", "same-origin"); + } + // Do not send the Content-Security-Policy (CSP) Header and X-Frame-Options for the *-connector.html files. // This can cause issues when some MFA requests needs to open a popup or page within the clients like WebAuthn, or Duo. // This is the same behavior as upstream Bitwarden.